The critical Microsoft Windows and Office vulnerability that came to light two days ago is being more widely exploited than previously reported, making it more urgent that end users install a temporary fix right away.

Early research into the zero-day exploit detected only highly targeted attacks on individuals or companies, most of them located in the Middle East and South Asia. More often than not, the word "targeted" is used to describe espionage campaigns aimed at a particular company or industry. Now, researchers at two security firms have uncovered evidence that the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync—is also being exploited in wider-ranging hacking campaigns carried out by multiple gangs, including one made up of financially motivated criminals.

The more recently discovered attacks are being carried out by the same India-based group behind Operation Hangover, a malware campaign first detected earlier this year, researchers from security firm FireEye wrote in a recent blog post. The researchers went on to say that the same attacks—which exploit weaknesses in the way Microsoft code processes TIFF images—are also being waged by yet another group, alternately dubbed Arx and Ark, to deliver the Citadel trojan. Citadel is a highly malicious piece of malware that's mostly used by criminals to access and drain online bank accounts.

Similar to the methods Microsoft described on Tuesday, the Arx group attached booby-trapped Word documents to e-mails that carried subjects related to online money transfers. When targeted individuals opened the document on vulnerable computers, the machines were infected with Citadel.

"The use of this zero-day exploit (CVE-2013-3906) is more widespread tha(n) previously believed," FireEye researchers wrote. "Two different groups are using this exploit: Hangover and Ark. Hangover has been previously connected with a targeted malware campaign, and the Ark group is operating a Citadel-based botnet for organized crime."

Symantec has published its own post citing evidence that the TIFF vulnerability is being exploited by the group behind Operation Hangover. It's the first time the group has been observed using a zero-day attack. Symantec provides answers to frequently asked questions here.

It's not uncommon for initial reports of an ongoing zero-day attack to understate its magnitude. Such understatements are largely unavoidable, since researchers are working with incomplete information that only fills in during the days following disclosure. That's why it's always a good idea to take reports like these seriously and follow any available mitigation advice, even if users think the likelihood that they are vulnerable is low.

Microsoft has issued a temporary fix here that takes only a minute or two to install. Readers with vulnerable machines are strongly advised to run the Fixit if they haven't already.

Promoted Comments

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

"the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync"

Finish the paragraph, please. Office 2010 is only vulnerable pre-Win7. Another good reason to move on from XP.

Quote:

The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on version 7, 8, and 8.1 of Windows.

The advice to not open any files from any unknown senders is always valid. Also, one should be very wary of any unexpected/unexplained attachments from anyone. I make this distinction because often one will receive attachments from co-workers, family, and friends, though if something looks odd, always verify with the purported sender.

Is there any email address spoofing going on with these emails to make the recipient more likely to open the attachment?

In the end it doesn't matter at all if your organization gets nailed by this. If you haven't taken steps to protect people from being taken in by this exploit, you aren't doing anyone any favours and aren't displaying a whole lot of intelligence yourself.

The fix can be downloaded as an MSI - that might be more useful than a button on a website for some folks.

By the way, the only time I've ever called a customer "a stupid-ass LUSER" was after they were told 6 different times to not open a particular attachment that was making the rounds (many eons ago in the Win95 days) and did so anyway - they got written up I didn't. Just sayin'...

Another heap overflow in the MS legacy code (MSCOMCTL.DLL). MS has been fixing these for over 10 years now, and there are still some left. Can you imagine what other legacy companies' code looks like and how many similar vulnerabilities they have in their code going back to the 90s or even earlier, if they are this hard to find and eliminate?

It would be interesting if some forensic work was done on this zero-day exploit to see if it was: a) known to Microsoft through internal means or private disclosure by a security researcher, b) subsequently disclosed to some governmental agency for use in spying (rather than being immediately fixed), c) and then discovered/exploited by nefarious groups for less than savory purposes.

We're stuck between a rock and a hard place. A sizable portion of our user base needs to access TIFF files, but if I understand the temporary fix, it disables the ability to open/view TIFF files completely. We had chosen to not apply the fix given initial reports that it was highly targeted, but this news is worrying.

According to the linked KB, the vulnerability (or at least the fix) only applies to Server 2k8 and Vista or earlier. Can someone confirm that this doesn't apply to Win7?

As stated in the article, the vulnerability affects Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. This is what Microsoft has said all along. I'm not aware of anyone who has independently confirmed this, but so far, I haven't heard anyone contradict it, either.

I guess some people must work in environments where it is difficult to distinguish between valid emails and spam. It amazes me how an email from an unknown sender containing attachments speaking of money orders can still be effective these days. I mean, seriously, it truly boggles my mind. I would be no more surprised by that than someone who didn't know how to use a door handle.

I know the average computer user isn't very smart about computers (I work in the industry), but I must seriously be out of touch because the fact that this stuff works just floors me.

We're stuck between a rock and a hard place. A sizable portion of our user base needs to access TIFF files, but if I understand the temporary fix, it disables the ability to open/view TIFF files completely. We had chosen to not apply the fix given initial reports that it was highly targeted, but this news is worrying.

That does sound like a hassle. I'm a designer, and work with TIFFs on a regular basis.

What is it about this image format that makes it a good attack vector?

We're stuck between a rock and a hard place. A sizable portion of our user base needs to access TIFF files, but if I understand the temporary fix, it disables the ability to open/view TIFF files completely. We had chosen to not apply the fix given initial reports that it was highly targeted, but this news is worrying.

That does sound like a hassle. I'm a designer, and work with TIFFs on a regular basis.

What is it about this image format that makes it a good attack vector?

I don't believe it's TIFFs in general. It's only in TIFFs embedded in Microsoft Office Documents. If you work with TIFFs I'm guessing you have software to work with those files and that software, I'm guessing here, probably isn't using the same code to render and isn't susceptible.
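To make concrete what a defender can actually check about the image format itself, here is an added example (not code from the article, from Microsoft, or from any commenter): a structural validator for the TIFF container. It walks the header and the IFD chain and flags offsets, counts, chain loops and dimension claims that do not agree with the file's real size. It does not model the specific CVE-2013-3906 trigger, which the article does not describe; it is the kind of sanity check a mail gateway or quarantine script could run on a TIFF before a legacy decoder touches it. The sample files are constructed inline by `build_tiff`, a hypothetical helper written for this example.

```python
import struct
from typing import Dict, List, Optional

# Byte sizes of the twelve TIFF 6.0 field types (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def check_tiff(data: bytes, max_ifds: int = 64) -> List[str]:
    """Walk the TIFF header and IFD chain and return every structural inconsistency found.

    An empty list means the container is internally consistent: every declared offset and
    byte count lies inside the file, the IFD chain terminates, and an uncompressed image's
    declared dimensions do not claim more pixel data than its strip actually supplies.
    """
    problems: List[str] = []
    n = len(data)
    if n < 8:
        return ["file shorter than the 8-byte TIFF header"]
    order = data[:2]
    if order == b"II":
        e = "<"                      # little-endian ("Intel") byte order
    elif order == b"MM":
        e = ">"                      # big-endian ("Motorola") byte order
    else:
        return [f"bad byte-order mark {order!r}"]
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        return [f"bad magic number {magic}, expected 42"]

    inline: Dict[int, int] = {}      # single-value SHORT/LONG fields needed for cross-checks
    seen = set()
    while ifd_off != 0:
        if ifd_off in seen:
            problems.append(f"IFD chain loops back to offset {ifd_off}")
            break
        seen.add(ifd_off)
        if len(seen) > max_ifds:
            problems.append(f"more than {max_ifds} IFDs in chain")
            break
        if ifd_off + 2 > n:
            problems.append(f"IFD offset {ifd_off} lies beyond end of file ({n} bytes)")
            break
        (num_entries,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
        entries_end = ifd_off + 2 + 12 * num_entries
        if entries_end + 4 > n:
            problems.append(f"IFD at {ifd_off} declares {num_entries} entries, running past end of file")
            break
        for i in range(num_entries):
            pos = ifd_off + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack(e + "HHII", data[pos:pos + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                problems.append(f"tag {tag}: unknown field type {typ}")
                continue
            total = size * cnt
            if total > 4:            # value does not fit the 4-byte field, so `val` is an offset
                if val + total > n:
                    problems.append(f"tag {tag}: {total} bytes at offset {val} exceed file size {n}")
            elif cnt == 1 and typ == 3:
                (inline[tag],) = struct.unpack(e + "H", data[pos + 8:pos + 10])
            elif cnt == 1 and typ == 4:
                inline[tag] = val
        (ifd_off,) = struct.unpack(e + "I", data[entries_end:entries_end + 4])

    # Cross-checks for a single-strip image (multi-strip arrays live out-of-line and are
    # covered only by the offset bound check above).
    strip_off, strip_len = inline.get(273), inline.get(279)
    if strip_off is not None and strip_len is not None and strip_off + strip_len > n:
        problems.append(f"strip data at offset {strip_off} with {strip_len} bytes exceeds file size {n}")
    width, height = inline.get(256), inline.get(257)
    bits, compression = inline.get(258, 1), inline.get(259, 1)
    if compression == 1 and width and height and strip_len is not None:
        need = (width * height * bits + 7) // 8
        if need > strip_len:
            problems.append(f"declared dimensions need {need} bytes of pixel data but strips supply {strip_len}")
    return problems


def build_tiff(width: int, height: int, pixels: bytes, strip_offset: Optional[int] = None,
               strip_bytes: Optional[int] = None, next_ifd: int = 0) -> bytes:
    """Constructed sample (hypothetical helper): a minimal little-endian, uncompressed, 8-bit
    grayscale, single-strip TIFF. The optional arguments let a caller deliberately write a
    file whose header disagrees with its contents."""
    n_entries = 8
    data_off = 8 + 2 + 12 * n_entries + 4          # pixel data follows header and one IFD
    strip_offset = data_off if strip_offset is None else strip_offset
    strip_bytes = len(pixels) if strip_bytes is None else strip_bytes
    entries = [
        (256, 3, 1, width),          # ImageWidth
        (257, 3, 1, height),         # ImageLength
        (258, 3, 1, 8),              # BitsPerSample
        (259, 3, 1, 1),              # Compression = none
        (262, 3, 1, 1),              # PhotometricInterpretation = BlackIsZero
        (273, 4, 1, strip_offset),   # StripOffsets
        (278, 3, 1, height),         # RowsPerStrip
        (279, 4, 1, strip_bytes),    # StripByteCounts
    ]
    out = bytearray(b"II" + struct.pack("<HI", 42, 8))
    out += struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:             # little-endian: a SHORT sits in the low bytes
        out += struct.pack("<HHII", tag, typ, cnt, val)
    out += struct.pack("<I", next_ifd)
    out += pixels
    return bytes(out)


if __name__ == "__main__":
    good = build_tiff(2, 2, bytes(4))
    print("well-formed:", check_tiff(good))
    print("oversized strip:", check_tiff(build_tiff(2, 2, bytes(4), strip_bytes=10**6)))
    print("dimension lie:", check_tiff(build_tiff(4096, 4096, bytes(4))))
    print("looping IFD chain:", check_tiff(build_tiff(2, 2, bytes(4), next_ifd=8)))
    print("truncated:", check_tiff(good[:20]))
```

Office 2007 and later documents are zip archives, so a TIFF embedded in a .docx would first be pulled out of the archive's `word/media/` folder before being handed to a check like this. The check can only reject files that contradict their own headers; it cannot prove a file safe, so it complements rather than replaces the Fixit the article describes.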

We're stuck between a rock and a hard place. A sizable portion of our user base needs to access TIFF files, but if I understand the temporary fix, it disables the ability to open/view TIFF files completely. We had chosen to not apply the fix given initial reports that it was highly targeted, but this news is worrying.

That does sound like a hassle. I'm a designer, and work with TIFFs on a regular basis.

What is it about this image format that makes it a good attack vector?

I don't believe it's TIFFs in general. It's only in TIFFs embedded in Microsoft Office Documents. If you work with TIFFs I'm guessing you have software to work with those files and that software, I'm guessing here, probably isn't using the same code to render and isn't susceptible.

EDIT: This is about how Microsoft Office products render TIFFs.

Ah, ok thanks. I'll run this past the guys in the morning and revisit the notion of deploying the fix.

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

"the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync"

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

Microsoft updated its image decoding stack in Windows beginning in Windows Vista, but I believe the TIFF decoder was rewritten for Windows 7:

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

"the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync"

Finish the paragraph, please. Office 2010 is only vulnerable pre-Win7. Another good reason to move on from XP.

Quote:

The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on version 7, 8, and 8.1 of Windows.

In the end it doesn't matter at all if your organization gets nailed by this. If you haven't taken steps to protect people from being taken in by this exploit, you aren't doing anyone any favours and aren't displaying a whole lot of intelligence yourself.

The fix can be downloaded as an MSI - that might be more useful than a button on a website for some folks.

By the way, the only time I've ever called a customer "a stupid-ass LUSER" was after they were told 6 different times to not open a particular attachment that was making the rounds (many eons ago in the Win95 days) and did so anyway - they got written up I didn't. Just sayin'...

One of my friends does IT consulting. He told me that a few weeks ago one of his clients got one of the ransomware things. Encrypted everything on their network. Luckily he had instituted a very good backup system so they only lost that day's work. The guy that downloaded the ransomware went so far as to disable the antivirus running on his computer that kept telling him it was bad. My friend is pretty sure the guy was going to get fired for it. This particular idiot was a lawyer.

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

"the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync"

Finish the paragraph, please. Office 2010 is only vulnerable pre-Win7. Another good reason to move on from XP.

Quote:

The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on version 7, 8, and 8.1 of Windows.

I appreciate your help reiterating the pertinent parts of my previous coverage, DetroitRhino. Thanks so much.

Readers, please remember that I publish more than 300 articles per year. Given that load, it's not always possible for me to repeat every detail included in a previous article. Rather than point out what you think is an omission, please summarize the pertinent information in a comment and propose it be added. If I agree with you, I'll update the post or promote the comment so others will see it.

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

"the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync"

Finish the paragraph, please. Office 2010 is only vulnerable pre-Win7. Another good reason to move on from XP.

Quote:

The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on version 7, 8, and 8.1 of Windows.

And how is that not clear from the fact that the article states that the flaw is found in "Windows Vista, Windows Server 2008"?

Now it's not very nicely phrased, but applying basic logic means that if it was purely a flaw in one of the products there wouldn't be any mention of any OS. So listing both products and OS should make it obvious that there's only a security flaw in any of the possible combinations.

And how is that not clear from the fact that the article states that the flaw is found in "Windows Vista, Windows Server 2008"?

Actually, the flaw is in the image decoding found in GDI+, a component which Vista and Office both use.

* If you run Vista (without Office), you are vulnerable (except the attack vector would not be a .docx file) because the Vista OS contains a vulnerable GDI+.

* If you run Office on XP, you are vulnerable because the vulnerable GDI+ used by Office apparently supersedes XP's non-vulnerable GDI+ (XP itself is listed in the security advisory as an unaffected product).

* If you run Office on W7 or newer, it's unaffected, because Office in this case uses the OS's unaffected GDI+.

So no, the statement above did not mean Vista and Office; it meant Vista or Office, which is why the exception of "except when Office is on 7 or newer" is required for correctness.

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

"the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync"

Finish the paragraph, please. Office 2010 is only vulnerable pre-Win7. Another good reason to move on from XP.

Quote:

The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on version 7, 8, and 8.1 of Windows.

And how is that not clear from the fact that the article states that the flaw is found in "Windows Vista, Windows Server 2008"?

Now it's not very nicely phrased, but applying basic logic means that if it was purely a flaw in one of the products there wouldn't be any mention of any OS. So listing both products and OS should make it obvious that there's only a security flaw in any of the possible combinations.

The OS is also a product.

It's not clear that computers without Office installed are not affected.

It's not clear that computers with Office installed on other Windows versions are not affected.

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

Microsoft updated its image decoding stack in Windows beginning in Windows Vista, but I believe the TIFF decoder was rewritten for Windows 7:

Few of the articles I've read have made it clear that Office 2007 on Windows 7 is affected.

Office 2010 on Windows 7 isn't affected, and that was spelled out very clearly in the previous Ars article.

However, Office 2007 on Windows 7 is still a common deployment for in-use hardware, and we have many machines in the field with this combination.

At first, I presumed they were fine, as the only OSes affected were "Windows Vista and Windows Server 2008". However, reading into the vulnerability more, it appears it most certainly affects Windows 7 machines running versions of Office earlier than 2010.

The original Ars article on this exploit said that Office running on Windows 7, 8, and 8.1 is unaffected. It might be useful to include that detail in this article as well, to make it easier for people to determine if this is something that they should be deploying across the systems that they manage ASAP.

"the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync"

Finish the paragraph, please. Office 2010 is only vulnerable pre-Win7. Another good reason to move on from XP.

Quote:

The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on version 7, 8, and 8.1 of Windows.

I appreciate your help reiterating the pertinent parts of my previous coverage, DetroitRhino. Thanks so much.

Readers, please remember that I publish more than 300 articles per year. Given that load, it's not always possible for me to repeat every detail included in a previous article. Rather than point out what you think is an omission, please summarize the pertinent information in a comment and propose it be added. If I agree with you, I'll update the post or promote the comment so others will see it.

Dan,

I hope you weren't taking that as a criticism. It wasn't even directed towards you. It was merely completing what I thought was an ambiguous comment.